Some random thoughts about crypto. Notes from a course I teach. Pictures of my dachshunds.

Matthew Green

I'm a cryptographer and professor at Johns Hopkins University. I've designed and analyzed cryptographic systems used in wireless networks, payment systems and digital content protection platforms. In my research I look at the various ways cryptography can be used to promote user privacy.

Dear Apple: Please set iMessage free

Normally I avoid complaining about Apple because (a) there are plenty of other people carrying that flag, and (b) I honestly like Apple and own numerous lovely iProducts. I’m even using one to write this post.

Moreover, from a security point of view, there isn’t that much to complain about. Sure, Apple has a few irritating habits — shipping old, broken versions of libraries in its software, for example. But on the continuum of security crimes this stuff is at best a misdemeanor, maybe a half-step above ‘improper baby naming’. Everyone’s software sucks, news at 11.

There is, however, one thing that drives me absolutely nuts about Apple’s security posture. You see, starting about a year ago Apple began operating one of the most widely deployed encrypted text message services in the history of mankind. So far so good. The problem is that they still won’t properly explain how it works. And nobody seems to care.

I am, of course, referring to iMessage, which was deployed last year in iOS Version 5. It allows — nay, encourages — users to avoid normal carrier SMS text messages and to route their texts through Apple instead.

Now, this is not a particularly new idea. But iMessage is special for two reasons. First, it’s built into the normal iPhone texting application and turned on by default. When my Mom texts another Apple user, iMessage will automatically route her message over the Internet. She doesn’t have to approve this, and honestly, probably won’t even know the difference.

Secondly, iMessage claims to bring ‘secure end-to-end encryption’ (and authentication) to text messaging. In principle this is huge! True end-to-end encryption should protect you from eavesdropping even by Apple, who carries your message. Authentication should protect you from spoofing attacks. This stands in contrast to normal SMS which is often not encrypted at all.

So why am I looking a gift horse in the mouth? iMessage will clearly save you a ton in texting charges and it will secure your messages for free. Some encryption is better than none, right?

Well maybe.

To me, the disconcerting thing about iMessage is how rapidly it’s gone from no deployment to securing billions of text messages for millions of users. And this despite the fact that the full protocol has never been published by Apple or (to my knowledge) vetted by security experts. (Note: if I’m wrong about this, let me know and I’ll eat my words.)

What’s worse is that Apple has been hyping iMessage as a secure protocol; they even propose it as a solution to some serious SMS spoofing bugs. For example:

Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.

And this makes me nervous. While iMessage may very well be as secure as Apple makes it out to be, there are plenty of reasons to give the protocol a second look.

iMessage is not just two phones talking to each other with TLS. If this partial reverse-engineering of the protocol (based on the MacOS Mountain Lion Messages client) is for real, then there are lots of moving parts. TLS. Client certificates. Certificate signing requests. New certificates delivered via XML. Oh my.

As a general rule, lots of moving parts means lots of places for things to go wrong. Things that could seriously reduce the security of the protocol. And as far as I know, nobody’s given this much of a look. It’s surprising.

Moreover, there are some very real questions about what powers Apple has when it comes to iMessage. In principle ‘end-to-end’ encryption should mean that only the end devices can read the connection. In practice this is almost certainly not the case with iMessage. A quick glance at the protocol linked above is enough to tell me that Apple operates as a Certificate Authority for iMessage devices. And as a Certificate Authority, it may be able to substantially undercut the security of the protocol. When would Apple do this? How would it do this? Are we allowed to know?

This is obviously not a technical post. I’m not here to present answers, which is disappointing. If I knew the protocol maybe I’d have some. Maybe I’d even be saying good things about it.

Rather, consider this post as a plea for help. iMessage is important. People use it. We ought to know how secure it is and what risks those people are taking by using it. The best solution would be for Apple to simply release a detailed specification for the protocol — even if they need to hold back a few key details. But if that’s not possible, maybe we in the community should be doing more to find out.

Remember, it’s not just our security at stake. People we know are using these products. It would be awfully nice to know what that means.

57 thoughts on “Dear Apple: Please set iMessage free”

I think people don't care because whatever Apple is doing with iMessage isn't going to be less secure than the tech it is replacing (traditional SMS). Also iMessage saves people money vs. carrier based text messages.

Not saying someone shouldn't look at it to see what it does, but rather answering the question of why there has been a collective shrug.

Maybe, maybe not. For one thing, iMessages travel over unsecured WiFi networks if you happen to be connected to one (say, at Starbucks). That makes them much more vulnerable to casual sniffing than SMS which requires specialized, regulated hardware.

Another concern is that 'end-to-end encryption' means something to people. Given enough marketing hype people may start to view iMessage as a secure protocol, where they would have proper reservations about SMS. That could lead to overconfidence.

Finally: people look at all sorts of ridiculous stuff. A major deployed protocol is a lot less shrug-worthy than some of the specialized stuff you see at the major conferences.

Several high profile services use SMS as a second channel to send one-time passwords in two-factor authentication. It would be a great benefit for them if Apple opened up the iMessage spec and a public API.

Anon, I wouldn't rely on the community presenting iMessage hacking in the open. First, there's a lot of money to be earned in selling such eavesdropping hacks to governments. Second, there might be a lengthy responsible disclosure process after reporting such a bug (synchronized iOS and iMessage for Mac OS patching for starters).

Well, about the security of protocol is one thing. However, I am delighted to see that Apple created something to push telco operators harder against the corner by “finding” replacement for SMS. For while, I am thinking again that we get rid of the numbering scheme and start really to obtain multi-identity, multi-presentation agreements.

What comes to the security then. This protocol is indeed complex and somehow it feels somewhat inefficient as well, for example by doing DNS queries instead of having the query inside of the envelope in first place. Yes, yes – all the load balancing etc. may require such work, which could be handled other ways too. The multitude stages of key management makes me wonder in case the “manager” creates, verifies and stacks the collaboration to a cloud identity to store the data.

Also – there might (is) be a bit of difference with mobile devices and OSX application. Would this potentially work same way on iPhone?

Then, why Apple uses potentially blocked port on host (5223) to maneuver some parts of the collaboration. By taking the context and protocol structure, use of widely accessible ports would be more than desirable. Just does not make feasible sense, even feeling about the XMPP.

The parts of the protocol with Unknown status could be part of the user identity & authentication package, the second for device signature authentication payload – both to assure the non-repudiation of origin.

It sure looks like Apple has tried to make the initial messaging here safe, but what happens to the data held in Apple's cloud – how well secured it is?

This is perhaps one of the most idiotic things I've read. Please open up ONE of the few things that differentiate iOS devices so that they can be included in others as well. Technical openness != smart business decision unless everyone agrees and spots the same standard and gains something out of it.

As interesting as it would be to find out more about iMessage and how secure it is, I still don't agree with it being a good idea to have open documentation about its inner workings (other than those by security researchers). However it makes me wonder how secure is Blackberry Messenger? It's widely used by almost every Blackberry owner and as RIM are known for their enterprise security maybe Apple employ the same technologies and methods for securing our data as they do.

Apple is using Apple IDs as secure domain names, which are identical to Secure SIP URIs (e.g. SIPS addresses which look like email addresses). This is described in concept in RFC 3263 put out by the IETF. The Apple IDs are registered with Apple Secure Servers, and when Apple users want to communicate with other Apple users, both users must be registered / authenticated with Apple Secure DNS servers. This is a secure Apple Domain, which they control, which is the reason none of this works cross-platform.

The Apple ID is built on SIPS addresses. But, Apple is finding out that all of these security elements were not open – they were invented by scientists at SAIC around 2000, and patented. The patents are now owned where the scientists are – a company called VirnetX – who is suing Apple for using their technology (e.g. VPN on demand, FaceTime security protocols, iMessage).

VirnetX patents are the foundation for automatic end-to-end security that Apple claims they have. And they do, because they are using VirnetX technology. And here's the best part: This technology is foundational to securing SIP, which is the protocol Advanced 4G networks have selected. So, very soon, globally, all will be using inventions by VirnetX for secure device to device communications – cross platform…

Everybody check out XMPP + OTR! These are open standards readily available NOW and there are clients available for almost every platform, some even support voice or video chat: Jitsi, Adium, pidgin, Psi+, Trillian, miranda, Xabber, IM+, Beem, gibberbot, ChatSecure, …

Probably around 99% of all iPhone users use iMessage as it's turned on by default. That's a lot of people. If Apple didn't mention it to be secure – that's fine, but since they do, it should probably be hacked a bit by security experts to check for flaws because I'm sure some black hats are already doing it anyway. Many people say many things are secure and we should never just believe them.

Sure, there are secure messaging products but they don't have such a major deployment. The deployment size + security perception makes iMessage a risky thing not to check.

iMessage is great but as with any service that uses the Internet, in the event of some disaster (say an earthquake for those of us in Calif.) the odds are an SMS message MIGHT get through but data connectivity probably isn't going to be there. Naturally, it all depends, but in the event of disasters, even man-made disasters like a bridge collapse, the authorities want you to use SMS, not voice calls, even.

Nice post Matt! As the iPhone4S is my first official iOS-based phone, I was not aware of the distinction between iMessage messages and SMS. I might add that this is because I don't often read the marketing stuff Apple posts about their devices; the usual mindless mantra that everything rocks – if you want to rock, get one of these (brilliant marketing I might add). Back to the point, I came across the difference between the two when I was jail breaking my phone and had stumbled on a few iMessage modification apps and then onto posts concerning the message colors of iMessage. Wow, I thought. Blue is an iMessage and Green is an SMS/MMS. Intuitive! That was sarcasm.

I believe that with the advent of BYOD, and marketing forecasts that Android is winning the mobile battle but Apple is more accessed in the Business domain that we should tread carefully with such usability issues of applications. What I am trying to get at is, if I have a warm and fuzzy feeling that my iMessage app is using end-to-end encryption then I'll send business confidential info to my buddy. My buddy, however, has a BlackBerry (gasp – not that). My buddy doesn't get the end-to-end encryption and I am probably none-the-wiser. I just sent out the secret pepsi formula over SMS.

All of that said, seeing as I have a jailbroken device, it might be nice to explore the proxy design for doing unintended stuff with Siri and see if it's applicable here.

Matthew, the worst part of the iMessage process is something that you did not touch upon. I had an iPhone 4s and recently jumped ship and picked up a Galaxy S3. Apparently if you don't turn off iMessage on your iPhone before switching to another device the iMessage servers will not release your number. To make a long story long, all of my iPhone using friends have difficulty sending me text messages now because their phones are sending me messages as if I am still connected to iMessage. After contacting Apple it has become blatantly obvious that they don't particularly care about helping Android defectors.

Yea, just because a wifi network is insecure doesn't mean the traffic flowing over it is insecure. You're talking about different layers of the OSI model here. Wifi, when it's protected, is encrypted at layer 2 or the Data Link layer. iMessage traffic is certainly encrypted in and of itself. This may be done at the network layer, but it's more than likely that it's done at the application layer through HTTPS. So someone on the same wifi network may be able to “sniff” out the packets and see the traffic, but that traffic would need to be decrypted. This is no different than making a purchase from Amazon while sitting in Starbucks. Even though the wifi is insecure, Amazon's website is not. With that in mind, you can rest assured that if someone is going to intercept your iMessage while at Starbucks, it's going to be the guy looking over your shoulder, not the random hacker in his car outside.

Okay so I have an iPod touch, and I have iOS 5, and my friend just got her iPod touch and I helped her download iOS 5 but how do you use the messaging feature? How would you add a contact if it doesn't use actual phone numbers? I don't get it, help plz?

Where it is really annoying is when an iPhone user doesn't have data, and iMessage keeps sending an iMessage instead of a text – meaning till the user is on wifi they won't get your messages. Yes, it tells you not delivered, but sometimes you send a quick message and don't check whether it's delivered or not.

I want to be able to choose when to send a text, not have to go and switch iMessage off to send a text.

I have an iPhone. I have a PC. I use iMessage and Trillian. Apple's unwillingness to interoperate with non-Apple environments is anachronistic, especially in light of the thrashing Microsoft delivered in the last technology cycle Apple insisted on maintaining such an island of automation strategy. Not suggesting that Microsoft will similarly out-perform Apple this round, but have “we” learned nothing?

Just wanted to throw it out there that I recently switched from a GS3 with sprint to a droid razr hd with verizon, and I am now able to group message with imessage users without any problems. No clue how to get this to work with other android devices, but I will be looking into why it works on this specific device.

It was great to land on this blog post and to read such amazing stuff. Your blog is full of authentic and highly-researched information that is worth reading. I will surely recommend your blog to my fellows!

Hi, would you mind stating which blog platform you're using? I'm looking to start my own blog in the near future but I'm having a difficult time deciding between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your layout seems different than most blogs and I'm looking for something completely unique. P.S. My apologies for being off-topic but I had to ask!

Even over insecure wifi, end-to-end encryption will use public/private key pairs, meaning your traffic is still secure (assuming perfect protocol, see below). As a cryptographer and research professor, you should know this.

The main issue lies in that the protocol is not public knowledge, so if a hole is discovered it could be detrimental to users.

I know this isn't exactly in line with what you were frustrated about, but I'm pretty sure Apple complies with subpoena requests for iMessages quietly rather than refuse to cooperate or try to battle them in open court. If Apple has the ability to fulfill subpoena requests, they likely have the ability to decrypt the messages, unless they're handing over strings of encrypted data to law enforcement. In that case, it's likely that the feds with resources have been able to crack some of them.

Yes, Apple is the CA for iMessage. But you're making some discomforting suggestions, that the/some government can just march into Apple and demand they issue false certificates for arbitrary devices. Can they do that to Verisign, or any other CA issuing web server certs? If so, I haven't heard of it. Why do you think it would be any different for Apple? And if they can just compel any CA to issue false certificates, we're all doomed.

To a normal person, yeah, it seems that as long as we are able to save by it then why not just use it, but for those who are learned and know how our security may be compromised, then yes, Apple must really make things clear on paper.